Proof Of Concept Attack Shows How A Hacker Could Use A Hole In Facebook To Delete Your Friends List

When you are a web site that is as big as Facebook there are bound to be many bugs and vulnerabilities that will slip past you.

It happens in non-web based software, it is going to happen in web-based software as well.

When a project becomes as big as Facebook, the code becomes very complicated: we are talking about millions and millions of lines of code that must be maintained and reviewed to make sure there is no way for someone to take advantage of a mistake.

Even with all of these precautions, however, there is still a chance that someone will be able to get through.

They will spot a hole that no one has seen before and use it for some kind of exploit, and that is exactly what this hole is.

The hole is a way for someone to turn Facebook's own code against its end users.

The hole is based on a CSRF attack.

Cross-Site Request Forgery Attack

A CSRF attack is also known as a Cross-Site Request Forgery attack.

An attack like this lets an attacker trick a person who is already logged into one of their accounts into unknowingly submitting a request that changes some of the information held there.

Using this technique on Facebook, a researcher was able to set up a proof of concept attack that would allow a person to hijack another person's account and change some of the data on there without the original person knowing.

In the proof of concept attack they only deleted the user’s friends.

Theoretically, they could do a whole lot more than that though.

They could change information on there that would trick you, or the people on your friends list, into giving up very valuable information about yourselves.
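As an added illustration, not code from the article or from Facebook, here is a toy "remove friend" handler that trusts the session cookie alone, beside a hardened version that also checks the request's Origin header and a per-session anti-forgery token. The site names, session values and friends list are constructed for the example.

```python
import hmac
import hashlib

# Server-side secret and state, all constructed for this example.
SECRET_KEY = b"constructed-server-secret"
SESSIONS = {"sess-alice": "alice"}          # cookie value -> user id
FRIENDS = {"alice": {"bob", "carol"}}       # user id -> set of friends

def csrf_token(session_id):
    """Per-session anti-forgery token: a keyed HMAC over the session id."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def remove_friend_vulnerable(request):
    """Trusts the session cookie alone. A form auto-submitted from another site
    carries that cookie too, so the victim's own browser does the deleting."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401                           # HTTP-style status codes
    FRIENDS[user].discard(request["form"].get("friend"))
    return 200

def remove_friend_hardened(request, allowed_origin="https://social.example"):
    """Same action, but the request must come from our own origin and carry
    the per-session token, which a page on another origin cannot read."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    if request["headers"].get("Origin") != allowed_origin:
        return 403
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403
    FRIENDS[user].discard(request["form"].get("friend"))
    return 200

def cross_site_request():
    """What the victim's browser sends when another origin submits the form:
    the cookie rides along, but no token is present."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"friend": "bob"}}

def same_site_request():
    """A legitimate request from the site's own page, token included."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": "https://social.example"},
            "form": {"friend": "bob", "csrf_token": csrf_token("sess-alice")}}
```

The vulnerable handler removes the friend on the cross-site request; the hardened one refuses it with 403 and only acts on the same-site request that carries the token.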

An attack like this should not be underestimated.

When a person is able to manipulate another person's logged-in account, there is no telling what kind of damage they could do.

This type of attack has happened in other areas, such as with people's bank accounts: attackers used the same techniques used against Facebook to get people to send all of the money in their accounts to strangers.

So far it seems that Facebook has taken this security hole seriously and has already patched it, but it is unfortunate that this had to happen, since it is just the latest in a string of security holes found in Facebook's web site.

The more popular Facebook gets, and the bigger its code base grows, the more of this type of attack it is going to see.

This is why both Facebook and the users of the service must be vigilant against these types of attacks.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
